
Restricting Catalog and External Location Visibility Across Databricks Workspaces

eshwari
New Contributor III


I am facing an exactly similar issue, but I don't want to create a separate metastore, and I have added the environment name as a prefix to all external locations. All the locations are restricted to their workspaces, so functionality-wise everything is fine. My concern is visibility: even though access is restricted, all external locations are still visible across all workspaces.

Is there any way to hide or scope external locations and catalogs so they are only visible within their respective workspaces, without creating separate metastores?


mark_ott
Databricks Employee

You can hide or scope external locations and catalogs so they are only visible within their respective Databricks workspaces, even when using a shared metastore, by using "workspace binding" (also called isolation mode or workspace-catalog/workspace-external location binding). This does not require the creation of separate metastores.

Workspace Binding for External Locations

  • By default, all external locations are visible to all workspaces that share the same metastore, although access can be restricted by permissions.

  • You can restrict the visibility so that only specific workspaces see certain external locations by binding the external location to a workspace using Catalog Explorer or the Databricks CLI.

  • When binding, unassigned workspaces will see the external location "grayed out" in the UI, but only metastore admins or external location owners will see them. Ordinary users within the workspace won't see or interact with these external locations at all.

Workspace Binding for Catalogs

  • Workspace-catalog binding allows you to limit catalogs to only specific workspaces. This ensures that only those workspaces (and users assigned within them) can see the catalog and its contents, effectively hiding it from all other workspaces sharing the metastore.

  • Use Catalog Explorer or Databricks CLI to assign catalogs to particular workspaces.

  • To enable isolation, clear the "All workspaces have access" option and explicitly list the workspaces allowed to access the catalog. Catalogs not assigned will be grayed out and inaccessible to other users, except for metastore admins or catalog owners.

CLI Examples

To set an external location to "ISOLATED" mode and assign it to specific workspaces:

```bash
databricks external-locations update <my-location> \
  --isolation-mode ISOLATED \
  --profile <profile-name>
```

To bind a catalog to certain workspaces:

```bash
databricks catalogs update <my-catalog> \
  --isolation-mode ISOLATED \
  --profile <profile-name>

databricks workspace-bindings update-bindings catalog <my-catalog> \
  --json '{ "add": [{"workspace_id": <workspace-id>, "binding_type": <binding-type>}...] }' \
  --profile <profile-name>
```

Replace placeholders as appropriate for your setup.

Important Notes

  • Metastore admins will always have visibility into all external locations and catalogs for administration purposes, but regular users can only view those specifically assigned to their workspace.

  • This "workspace binding" feature addresses your use case and is the recommended approach for strong isolation while maintaining shared administration and naming conventions.

  • If you follow this setup, you do not need to create separate metastores to achieve per-workspace catalog and external location visibility boundaries.

For more information, see the official documentation:
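
Added example, not part of the reply above and not Databricks code: a small audit that combines the environment-prefix naming convention from the question with the isolation mode and workspace bindings from the answer, flagging any catalog or external location that is still visible outside its own workspace. The record shape, the prefix-to-workspace mapping and the workspace IDs are assumptions constructed for this example; populate them from your own inventory export.

```python
# Constructed sample inventory. The field names (name, kind, isolation_mode,
# bound_workspace_ids) are hypothetical and are not Databricks CLI output.
INVENTORY = [
    {"name": "dev_landing", "kind": "external_location",
     "isolation_mode": "ISOLATED", "bound_workspace_ids": [1111]},
    {"name": "dev_sales", "kind": "catalog",
     "isolation_mode": "OPEN", "bound_workspace_ids": []},
    {"name": "prod_landing", "kind": "external_location",
     "isolation_mode": "ISOLATED", "bound_workspace_ids": [2222, 1111]},
    {"name": "prod_finance", "kind": "catalog",
     "isolation_mode": "ISOLATED", "bound_workspace_ids": []},
    {"name": "shared_ref", "kind": "catalog",
     "isolation_mode": "OPEN", "bound_workspace_ids": []},
]

# Hypothetical mapping: environment prefix -> the one workspace allowed to see it.
ENV_WORKSPACE = {"dev": 1111, "prod": 2222}


def audit(inventory, env_workspace):
    """Return (name, issue) pairs for securables whose visibility is too wide."""
    findings = []
    for item in inventory:
        name = item["name"]
        prefix = name.split("_", 1)[0]
        expected = env_workspace.get(prefix)
        if expected is None:
            # The naming convention cannot tell us where this object belongs.
            findings.append((name, "unknown_prefix"))
            continue
        if item.get("isolation_mode") != "ISOLATED":
            # Not isolated: visible from every workspace on the metastore.
            findings.append((name, "open"))
            continue
        bound = set(item.get("bound_workspace_ids", []))
        if expected not in bound:
            # Isolated, but its own workspace was never bound to it.
            findings.append((name, "missing_own_binding"))
        if bound - {expected}:
            # Isolated, but another environment's workspace is bound too.
            findings.append((name, "foreign_binding"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(INVENTORY, ENV_WORKSPACE):
        print(f"{name}: {issue}")
```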